“The New Vulnerability” (reviewing Richard Clarke and Robert Knacke, Cyber War: The Next Threat to National Security and What to Do About It)

Jack Goldsmith (Harvard Law)

The New Republic (June 7, 2010)

From the conclusion:

Neither the known causes of cyber insecurity nor extensive worries about the cyber threat are new. The wake-up call came in 1988, when Robert Tappan Morris, a graduate student at Cornell, introduced a “worm”–a self-replicating computer program–on the Internet that was designed to determine the Net’s size but that inadvertently shut down about 10 percent of the sixty thousand computers then connected to it. This event startled the Defense Advanced Research Projects Agency, the futuristic Department of Defense research wing. DARPA had developed what became the Internet to ensure that the command-and-control communications of the American military could withstand nuclear attack, but suddenly its young creation seemed vulnerable from within. DARPA immediately funded a Computer Emergency Response Team, which is still located at the Carnegie Mellon Institute, to coordinate and respond to Internet related computer security concerns.

It also asked the National Research Council to study “the security and trustworthiness” of American computing and communications systems. “We are at risk,” began the subsequent NRC report, which was released in 1991. In terms remarkably similar to Clarke’s, the report noted that America increasingly “depends on computers [for] power delivery, communications, aviation, and financial services,” described these systems as “vulnerable … to deliberate attack,” and declared that only luck had prevented their subversion. “The modern thief can steal more with a computer than with a gun,” it said, adding that “tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.” The report warned that the instability of the international system, and the rapid rise in both reliance on computer systems and the sophistication of computer attacks, meant that the United States was on the cusp of a cyber-security crisis. Cyber threats, it concluded, “are changing qualitatively; they are more likely to be catastrophic in impact.”

The NRC report makes for sober reading today. Its basic analysis of computer-system vulnerabilities would be repeated with slight elaborations over the next two decades in a dozen subsequent NRC reports and a half-dozen high-level executive branch studies. So, too, would its warnings, which are nearly identical to contemporary cries about the cyber threat. Yet no catastrophic cyber event has occurred in the intervening twenty years, despite deeper and deeper integration of computer systems and significantly greater reliance on them in all sectors of society. This has led some to think that the cyber menace is exaggerated. But experts such as Richard Clarke continue to insist that we are on the cusp of a national security crisis related to our dependence on computer systems. “Sometimes the boy who cries wolf can see the wolf coming from a lot further than everyone else,” says the man who before September 11 raised hell inside the government, to little avail, about the looming terror threat to the homeland. Let us hope that the wolf is still far away.

Judge Robertson today released the unclassified version of a previously-reported opinion (previously reported publicly that is, but I don’t think I knew of it or posted about it before on this listserv) ruling for the government on the merits in the case of Omar Mohammed Khalifh, a Libyan citizen held at GTMO. The full 17-page opinion is here. Key points include:

– In proving that a person was “part of” al Qaeda, the Taliban, or associated forces, the government must show that he “received and executed orders” but not that this included actual fighting on behalf of the group.

– The detainee must have been “part of” such a group at the time of capture, and the opinion at first suggests that the burden of proving this lies with the government. The opinion goes on to state, however, that a “petitioner who may once have been part of al-Qaida or the Taliban can show that he was no longer part of such an entity at the time of capture by showing that he took affirmative actions to abandon his membership,” a formulation suggesting that burden of proving vitiation actually lies with the petitioner. The opinion also notes that in some instances vitiation can be demonstrated by the circumstances even absent some affirmative evidence of withdrawal, as Judge Robertson previously held in Salahi. Judge Robertson notes that this requires exceptional circumstances, and that Salahi is on appeal in any event.

– The evidence established that Khalifh was an explosives expert and instructor who worked at al Qaeda’s Jihad Wahl and al Faruq camps in the late 1990s. In 1998 he lost part of a leg in a mine-sweeping accident, and spent much of the next three years recuperating while staying at guesthouses operated by al Qaeda (including guesthouses where senior al Qaeda leadership would stay).

– “While I find that the government has not shown that Khalifh was at Tora Bora or Taloqan or that he personally took up arms against U.S. or coalition forces, it is slicing the law too thin to require such proof. Given the clear proof of his long-standing membership in al-Qaida and the LIFG [a
Libyan Islamist group – note that the court decided it was unnecessary to
determine if LIFG counts as part of al Qaeda or as an associated force], and the absence of any evidence of active dissociation or of a compellingly lengthy lapse in activity (as in Salahi), find that Khalifh was a part of al-Qaida at the time his capture. Accordingly, the petition for writ of habeas corpus is denied. It is SO ORDERBD.”